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However, two main problems hinder effective 
inclusion of OCO in deliberate operational plan¬ 
ning. The first problem is that planning staffs 
have misconceptions about OCO capabilities 
and limitations within an operational environ¬ 
ment. Moreover, staffs are uncomfortable with 
the highly classified and technically complex 
aspects of the cyberspace domain because they 
do not understand them. The second problem 
is that OCO do not fit neatly into the joint tar¬ 
geting cycle and require much extra work and 
time to incorporate into deliberate planning. 


Misconceptions About and 
Challenges to the Operational 
Employment of OCO 

Among the many common misconceptions about 
OCO, two are particularly significant. The first 
misconception is that OCO are nonlethal enablers 
that play a marginal role in operations. The second 
is that since details of OCO are either inscrutable 
due to their technical complexity or inaccessible 
due to their classification, they are not worth the 
trouble of trying to employ at an operational level. 

The “iVs just computers” misconception. A 
common perception among planners is that OCO 
are nonlethal means of attacking an opponent’s 
networks, with little physical effect. However, over 
the last decade OCO have become more than just 
a nonlethal enabler like electronic warfare. The 
nature and potential of OCO have not changed 
significantly, but our understanding of them has. 

A revolutionary weapon system typically starts out 
as an asymmetric weapon that can, under favorable 
conditions, be used to counter traditional forms of 
military power. A historical example is the use of 
gunpowder weapons in the hands of the Hussites, a 
band of 15th-century religious dissenters who used 
primitive firearms to defeat armored knights.^ In the 
21st century, offensive cyberspace capabilities can 
give state and nonstate actors a new asymmetric 
weapon to use against traditional seats of power. 

An event in Estonia in 2007 is considered by 
some to represent the first offensive cyberspace 
attack against a nation. It began after the Estonian 
government removed a World War II Soviet war 
memorial commemorating a Russian victory over 
the Nazis.^ The Estonian government suspected 


Russia of coordinating subsequent retaliatory cyber 
strikes at Estonia’s digital infrastructure, government 
command and control (C2), financial institutions, 
and media networks.^ The massive attacks shut 
down government agencies’ emails, published false 
documents, and severely limited Internet access. The 
digital bombardment lasted two weeks and forced 
a major bank, Hansabank, to shut down online 
services for more than an hour; its losses eventually 
were estimated around $1 million."^ The denial and 
disruption of government, media, and financial net¬ 
works caused confusion and chaos without physical 
damage or destruction. The attack did great eco¬ 
nomic damage to Estonia. Coordinating a defensive 
response was very difficult because the attack was 
so widely dispersed—^no single Estonian authority 
was responsible for defense of so many different 
cyberspace assets.^ 

How new asymmetric weapons become inte¬ 
grated into a standard military arsenal. After 
military forces have used a new asymmetric 
weapon successfully, they sometimes adopt it as a 
complement to the traditional military arsenal. For 



HussiteWagon, Alois Niederstatter, 15th century (Archive of the Austrian 
National Library) 
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example, by the 16th century, armies had combined 
muskets with pikes and armored knights. During 
the 2008 Russian-Georgian War, some speculated 
that Russian forces integrated OCO with traditional 
operations to enhance their overall operational 
effectiveness. The Russians evidently conducted 
numerous cyberspace attacks that rendered Geor¬ 
gia’s governmental and media networks inoper¬ 
able.^ These attacks severely disrupted Georgian 
military C2. They were synchronized with the Rus¬ 
sian troops’ crossing of the Georgian border.^ Cyber 
expert Eli Jellenc stated this event represented 
“the birth of true, operational cyber warfare,” as it 
appeared to be the first coordinated usage of cyber 
and conventional attacks on a nation state.^ 

A complementary weapon eventually can evolve 
into a primary weapon. For example, the musket 
equipped with a socket bayonet replaced the pike 
by the early 18th century as the universal infantry 
arm. In 2010, a computer worm known as Stuxnet 
evidently was used as a primary offensive weapon 
to create tangible operational effects. Stuxnet, while 
of unknown origin, was a “fire and forget” program, 
considered the world’s first “cyber missile.”^ The 
program apparently was deployed to sabotage Iran’s 
nuclear fuel-refining centrifuges, which could be 
used to develop weapons-grade uranium, by alter¬ 
ing the electrical current. According to German 


researcher Ralph Langner, the attack may have 
been intended to destroy the centrifuge rotor by 
vibration—which could cause the centrifuge to 
explode—or simply to degrade the output over 
time (by slowing down and speeding up the 
motor).Stuxnet—although delivered through 
what is perceived as a nonphysical and nonlethal 
domain—achieved decidedly physical effects by 
damaging Iranian nuclear facilities. 

The examples from Iran and Georgia show how 
OCO have produced effects ranging from non¬ 
physical harassment and information operations 
through physical damage to key infrastructure. 
Without forces or weapons having direct physical 
contact, OCO can create nonphysical and physi¬ 
cal operational effects. They can shut down air 
defense systems and C2 nodes, open or close a 
dam’s fioodgates, and destroy or damage industrial 
machines such as nuclear centrifuges.^^ Offensive 
cyberspace capabilities, like standard lethal and 
tangible weapons, can be arrows in a JTF com¬ 
mander’s quiver. They can enable a commander to 
address a range of targets efficiently, on their own 
or in conjunction with other weapons. 

The ”I don’t understand it” or can’t get 
to it” misconception. Cyberspace capabilities, 
particularly OCO, tend to be shrouded in secrecy. 
OCO are highly classified because the nature of 
these operations could 
divulge strategic and oper¬ 
ational intentions if they 
are revealed. If a hostile 
power learned about even 
one OCO target under 
development, that power 
could learn much about 
U.S. cyberspace capabili¬ 
ties and a combatant com¬ 
mand’s operations. If cer¬ 
tain enemies learned that 
an operation plan featuring 
them as a target involved 
a cyberspace attack on an 
infrastructure node, they 
could use U.S. military 
doctrine to develop some 
understanding of the plan. 
Further, if technical data 
were compromised, an 



An Iranian technician works at the Uranium Conversion Facility just outside the city of Isfahan 255 miles south of 
Tehran, Iran, 3 February 2007. (AP Photo/Vahid Salemi) 
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opponent could use the data to design and build a 
cyber weapon to attack U.S. or allied interests. 

In addition to the challenges of secrecy, the tech¬ 
nical aspects of cyberspace operations are difficult 
to grasp for those without technical training. This 
is especially so in comparison to traditional weapon 
systems. Cyberspace is not like the traditional physi¬ 
cal domains where we can touch and see all the parts. 
Rather, cyberspace is primarily a virtual realm that 
can be manipulated to achieve real-world effects in 
the air, land, maritime, and space domains. Putting a 
bomb on target is easier to visualize than launching a 
multihost cyber attack that will penetrate a network 
and eventually weaken or destroy a critical system. 

Marginalization by inaccessibility. Whether the 
issue is difficulty in understanding, getting access 
to, or employing technically complex cyberspace 
capabilities—inaccessibility can marginalize OCO 
more than any opponent’s defenses. Unfortunately, 
inaccessibility can make operational planners apa¬ 
thetic about employing OCO. They may regard 
“cyberspace operations” as a buzzword the boss 


wants to pay lip service to rather than a set of weap¬ 
ons and tactics that deliver tangible benefits. At best, 
OCO can become marginalized—employed on the 
fringes of operations as they are not understood, 
not accessible, not easy to employ, and not trusted. 

The joint targeting cycle. In addition to the 
common misconceptions and inaccessibility issues 
surrounding OCO, certain challenges are inher¬ 
ent to fitting OCO into the joint targeting cycle 
(see figure).Two phases of the joint targeting 
cycle—^target development and prioritization, and 
capabilities analysis—have the most significant 
upstream effect on planning the operational employ¬ 
ment of OCO. 

United States Cyber Command (USCYBERCOM) 
coordinates the desired cyberspace effects against 
a target, based on the priorities of the combatant 
commander or JTF commander. During contingency 
planning, the capabilities analysis phase seeks to 
match apportioned assets and ordnance with the 
target and effect desired. Once a target is selected to 
be serviced by traditional means, it is periodically 
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reviewed during the plan review cycle. No further 
resources are expended on maintaining access to 
the target until the plan is executed. By contrast, 
designating a target to be engaged with OCO starts 
the immediate allocation and expenditure of addi¬ 
tional resources. Maintaining and developing a 
target requires a significant amount of time. During 
Operation Odyssey Dawn in 2011, U.S. officials 
debated the use of OCO against Libya but decided 
against it for several reasons—^mainly because of 
time. Analysts at the New York Times reported that 
“in reality it takes significant digital snooping to 
identify potential entry points and susceptible nodes 
in a linked network of communications systems, 
radars and missiles like that operated by the Libyan 
government, and then to write and insert the proper 
poisonous codes.”^^ 

How the joint targeting cycle applies to OCO. 

The first step to engage a target with OCO is to gain 
access to it. Without physical or electronic access 
to the target, it is impossible to proceed with OCO. 
A system linked to the Internet is, in general, more 
accessible, though getting into its targeted portions 
may be challenging due to its own network security 
environment. A closed system, such as the Iranian 
nuclear program, would require insider access to 
gain firsthand knowledge of the computing environ¬ 
ment in the target facility.Once forces gain access 
to a target system, they need to maintain it as long 
as they might wish to strike the target. Network 
upgrades or system changes made in the regular 
maintenance of the target could make it difficult to 
maintain or regain access. The risk from gaining 
access to a system is that an adversary might detect 
the hacking well before the attack. The adversary 
would discover which systems were being tar¬ 
geted. Moreover, discovery would assuredly result 
in access being lost—and the possibility of the 
adversary studying the attack to understand U.S. 
cyberspace operations and develop better defenses 
or even counterattacks. 

Once access is gained, the next step is to learn 
the unique internal attributes of the targeted 
system. Cyber attackers may need to acquire the 
software being targeted so they can determine 
its nature and vulnerabilities. For commercially 
available systems, this is relatively easy to do—a 
copy can be purchased. For rare systems or those 
whose development and use are limited to a given 


country or region, forces might need to obtain 
insider knowledge of the network environment 
(as may have occurred with Stuxnet).^^ Depending 
on the system to be attacked, the code might be 
commented in a language other than English. For 
whatever reason, if USCYBERCOM is unable to 
gain technical insight into the targeted software, 
then OCO cannot proceed; coordinating the proper 
effect is impossible. The JTF commander must 
consider these attributes of OCO when setting target 
priorities during deliberate planning. 

Once USCYBERCOM has coordinated a means 
for continuous access and learned the targeted 
system, they must then coordinate acquisition or 
development of the weapon with which to attack it. 
Some weapons designed to attack common operat¬ 
ing systems such as Windows are commercially 
available. However, systems produced and used 
only in certain countries typically require forces 
to develop weapons from scratch. This becomes a 
software acquisition project, in both the technical 
and legal sense. For purposes of defense acquisition, 
software development projects are more complex 
than physical engineering projects.Developing 
a cyber weapon is a complex challenge for this 
reason and many others. Once a weapon has been 
developed, the attackers must constantly maintain 
access to and monitor the target. They must ensure 
routine system maintenance does not nullify their 
labors until the weapon is employed, or until the 
target is removed from the joint integrated priori¬ 
tized target list (JIPTL). 

OCO force assignment challenges. All of these 
actions require a significant amount of time, perhaps 
months, before anything besides a rudimentary 
attack can be launched with a presumption of suc¬ 
cess. Furthermore, depending on the target and 
its accessibility, a weapon may need to navigate 
through several networks to its intended target. 
According to cyber forensics analysts, Stuxnet 
may have infected its target environment through a 
removable device inserted by a willing or unwitting 
third party or insider.Stuxnet would have needed 
numerous developers working up to six months 
to infect target computers in the Iranian nuclear 
program’s closed network. 

Currently, USCYBERCOM coordinates all OCO, 
with the concurrence of the appropriate combatant 
command. This further complicates the challenge 
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of matching targets to weapons. Not only must a 
combatant command request USCYBERCOM to 
attack a target, but also each target in the command’s 
JIPTL competes for resources against targets in the 
JIPTLs of other commands. USCYBERCOM sorts 
through all of these lists, assigning a global priority 
to individual targets and allocating scarce resources 
to them. Even if USCYBERCOM considers a 
target high priority, the command may not have 
the resources needed to service it. USCYBERCOM 
needs to inform combatant commands and JTFs of 
its ability to service targets on their JIPTLs. 

Onerous legal reviews. Stewart A. Baker, 
former Department of Homeland Security assistant 
secretary for Policy and Technology, suggests that 
U.S. legal interpretation of the Hague Conventions 
reduces the operational utility of OCO.^^He writes 
that “lawyers across the government have raised so 
many show-stopping legal questions about cyber¬ 
war that they’ve left our military unable to fight, or 
even plan for, a war in cyberspace.”^^ 

Part of this legal complexity stems from the 
nature of OCO. As noted above, any but the 
most rudimentary cyberspace attack on an enemy 
requires the acquisition, development, or modifica¬ 
tion of software to engender the effects that a JTF 
commander desires. This brings Department of 
Defense Directive (DODD) 5000.01, The Defense 
Acquisition System, into the process. DODD 
5000.01 requires that “the acquisition or procure¬ 
ment of DOD weapons and weapon systems shall 
be consistent with all applicable domestic law and 
treaties and international agreements.”^^ In regard to 
Air Force operations. Air Force Instruction 51-402 
states that the office of the Judge Advocate General 
of the Air Force will conduct legal reviews of any 
new cyberspace capabilities (including weapons) 
or any contemplated modification of a cyberspace 
capability to ensure legality under the Law of 
Armed Confiict (LOAC), domestic law, and inter¬ 
national law.^^ A traditional attack on a target with 
missiles and bombs only has to pass through legal 
scrutiny during target development and prioritiza¬ 
tion since the weapons being employed have long 
since passed their assessment (per DODD 5000.01) 
during acquisition. By contrast, since cyberspace 
weapons are unique for almost every target. Air 
Force OCO require two legal reviews: one during 
target validation and the second during the acqui¬ 


sition process. This puts conducting OCO at the 
mercy of the most restrictive reading of the LOAC 
by two separate legal teams. 

This constraint, and the general ambiguity 
of how the LOAC applies to cyberspace opera¬ 
tions, has created what Stewart Baker interprets 
as “a cyberwar strategy that simply omitted 

Cyberspace, including OCO 
awareness, should be part of 
every officer's basic accession 
curriculum. 


any plan for conducting offensive operations. 
Apparently, they’re still waiting for all these 
lawyers to agree on what kind of offensive 
operations the military is allowed to mount. 

Solutions 

Clarifying the perception of OCO. Education 
is the key to changing how we think, plan for, and 
employ OCO. Cyberspace, including OCO aware¬ 
ness, should be part of every officer’s basic acces¬ 
sion curriculum. Joint professional military educa¬ 
tion (JPME) level I should include foundational 
cyberspace operations and doctrine for all officers. 
Intermediate and senior officers should study and 
integrate operational and strategic cyberspace 
operations into joint planning through JPME II. In 
addition, capstone courses should include instruc¬ 
tion in the capabilities and limitations of OCO. The 
goal of this education should not be to turn officers 
into cyber specialists, but to give them the same 
basic awareness of this domain that officers who 
are in supporting or combat arms fields have of how 
those in the other fields conduct their profession. 

Not unlike the intricacies of sophisticated conven¬ 
tional weapon systems, the details of OCO should 
remain classified. This is an attribute of cyberspace 
operations that must be taken into account when 
targeting: knowledge of the specific processes by 
which cyber effects are achieved should be limited 
to those with a need to know. The inaccessibility 
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of offensive cyberspace capabilities—to anyone 
not working directly on developing and executing 
them—contributes a level of operational security 
that will support the capability over time. Addition¬ 
ally, maintaining a level of inaccessibility surround¬ 
ing the offensive cyberspace capabilities affords 
the option to mask operational intent. Most joint 
planners do not possess the knowledge or security 
clearance to know how to build a Tomahawk cruise 
missile from scratch; nor should joint planners 
have the access to dissect an offensive cyberspace 
capability. 

An example of this paradox is the espionage virus 
Flame, discovered in 2012 and thought to have 
circulated on the Internet approximately four years 
before detection.^^ According to Debra Van Opstal, 
Flame “exploited the Windows operating system to 
capture audio, screenshots, keyboard activity, and 
network traffic information from infected comput¬ 
ers.”^^ Whoever decided to employ Flame likely did 
not understand the intricacies of its inner workings, 
but they did understand the desired effect. Flame is 
just one example of an offensive cyberspace tool 
that is difficult to detect, but its complex nature 
offers a unique perspective into the level of detail 
required to produce a pervasive cyber effect. The 
challenge for the combatant command and JTF 
staffs is accepting and operating in this borderless 
environment, which may involve hitting the “I 
believe” button when vetting desired, prioritized 
effects through USCYBERCOM. 

Improvements to the joint targeting cycle. 
To better utilize OCO capabilities, joint targeting 
coordination boards (JTCBs) must change how they 
assemble their JIPTLs; they must coordinate cyber 
target nomination with USCYBERCOM. This will 
enable the JTCBs to enhance OCO utilization, while 
fully integrating cyberspace capabilities with the 
traditional land, air, and sea power. 

Iterative capabilities analysis. Each JTCB 
should have a cyberspace representative assigned 
to it. The representative should be coequal with the 
joint force air, land, and maritime component com¬ 
mand representatives. The cyberspace representa¬ 
tive should provide a cyberspace target nomination 
list to the JTCB. When the JTCB begins to synthe¬ 
size the target nomination lists into the draft JIPTL, 
the cyberspace representative can coordinate the 
draft JIPTL with USCYBERCOM. With this infor¬ 


mation, USCYBERCOM can inform the JTCB as 
to which targets are considered susceptible to OCO, 
enabling the board to better shape the JIPTL. In 
addition, this practice will allow USCYBERCOM 
to look for possible synergies with work it is already 
undertaking for other plans. This information shar¬ 
ing will shape the design of the JIPTL and enable 
the JTCB to integrate OCO into its design. 

To get the best results from OCO, the JTCB 
also needs to ensure that targets for OCO are 
enduring. The JTCB needs to focus on the effects 
needed rather than how the effects are generated. 
Enduring targets are necessary because they allow 
USCYBERCOM to most efficiently coordinate 
resources and avoid chasing fieeting targets. An 
enduring target should be one that will persist 
through multiple plan review cycles. This gives 
USCYBERCOM enough time to develop the weap¬ 
ons needed to engage it successfully. Moreover, a 
focus on effects will enable USCYBERCOM to 
propose alternate courses of action to the JTCB. 
This will allow the JTCB to maintain focus on the 
big picture rather than the details of OCO. The 
cyberspace representative to the JTCB should be 
more than capable of deconfiicting and coordinating 
OCO with the rest of the JIPTL. 

Coordination of global OCO assignment. Each 
JTCB must remain fiexible regarding its JIPTL, as 
USCYBERCOM’s requirement to provide global 
support means that resources may shift. Whether for 
priority changes or other reasons, not every target 
on every JIPTL will be serviced. USCYBERCOM 
must inform each JTCB of the status of its targets, 
especially when priorities change, as this may have 
a significant effect on a command’s JIPTL. Each 
JTCB must prepare itself for this possibility by 
developing branch JIPTLs that refiect the lack of 
access to a cyberspace target. This again requires 
the JIPTL to be continuously reviewed and updated 
instead of sitting on the shelf until the next operation 
plan review. The direct link afforded by the cyber¬ 
space representative makes this less onerous, but it 
will require the JTCB to conduct extra research and 
planning to meet the commander’s desired end state. 
The temptation remains, of course, to ignore or 
marginalize cyberspace capabilities because using 
them would cause frustration and extra work. The 
JTCB must weigh the potential payoff of OCO with 
the extra workload this may infiict during deliberate 
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planning. However, successful integration of OCO 
can enable a JTF to expand its reach beyond what 
traditional fires assets would allow, and to husband 
those assets for more suitable targets. 

Consolidated legal review. The legal challenges 
facing a JTCB seem daunting, but the board can 
address them in a way that satisfies the combatant 
commander’s requirements. While the details of 
rules of engagement and target legitimacy reside 
in the realm of law, it is, especially with new tech¬ 
nologies, a subjective field. The use of two distinct 
legal processes—in the target development and 
prioritization process described in Joint Publica¬ 
tion 3-60 and the acquisitions process described in 
DODD 5000.01—to approve the development and 
employment of a cyber weapon is redundant and 
overuses scarce legal resources. 

Instead, USCYBERCOM should conduct 
both legal reviews. The legal review during 
target development and prioritization should be 
skipped for cyberspace targets. USCYBERCOM 
should conduct an initial and final LOAC review 
while coordinating with the JTCB during the 
cyber weapon development. Moreover, since 
cyber weapons are custom crafted to engage a 
specific target, the legal team can conduct the 
legal reviews mandated by DODD 5000.01 as 


well as target validation. USCYBERCOM, in 
coordination with the cyberspace representative, 
should have the technical expertise to review 
and assist in the weapon development. This will 
enhance the effectiveness of OCO development 
and employment. Furthermore, since the legal 
review team is not part of the combatant com¬ 
mand, there is less opportunity for “group think” 
or command influence to warp the process. 

Conclusion 

OCO offer potent tools for a combatant com¬ 
mand or JTF commander. However, our own inter¬ 
nal friction—manifested as misunderstanding, 
inaccessibility, and slowly evolving processes— 
has not allowed us to take full advantage of these 
capabilities. None of the solutions described above 
are particularly costly, nor do they involve pur¬ 
chasing equipment or adding to the force structure. 
Rather, they focus on developing our people and 
processes so they are more prepared to engage 
an adversary in all domains. While implement¬ 
ing these solutions would be a long-term effort, 
delaying implementation only would enable the 
problem to fester, effectively denying use of OCO 
to joint force commanders. MR 
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